Question:

How does free() know how much memory to release?

Answer:

There's no standard way. It can vary from compiler to compiler, even from version to version of the same compiler. free(), malloc(), calloc(), and realloc() are functions; as long as they all work the same way, they can work any way that works.

Most implementations take advantage of the same trick, though. When malloc() (or one of the other allocation functions) allocates a block of memory, it grabs a little more than it was asked to grab. malloc()doesn't return the address of the beginning of this block. Instead, it returns a pointer a little bit after that.

At the very beginning of the block, before the address returned, malloc() stores some information, such as how big the block is. (If this information gets overwritten, you'll have wild pointer problems when you free the memory.)

There's no guarantee free() works this way. It could use a table of allocated addresses and their lengths. It could store the data at the end of the block (beyond the length requested by the call to malloc()). It could store a pointer rather than a count.